How It Works: AuthN/AuthZ — Sessions, JWT, 2FA, OAuth2, CSRF

 

Updated: 2025-08-24

Summary

Authentication proves identity; authorization determines permissions. For browsers, default to server sessions + secure cookies and CSRF defenses. For APIs/mobile, use short‑lived JWT access tokens with refresh tokens. Layer 2FA, strong secrets management, and defense‑in‑depth on every hop.

Sessions (Browser)

- Server stores session state (Redis). Client holds opaque cookie.
- Set cookie flags: HttpOnly; Secure; SameSite=Lax (or Strict for sensitive flows).
- Rotate session on login and privilege changes; short TTL + sliding refresh.
- CSRF protection: double‑submit token or SameSite plus custom header.

# Example Set-Cookie (HTTP response)
Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=7200

# CSRF: double submit (store token in session, send in header)
X-CSRF-Token: <random-128-bit>
# Server checks header value matches token in session

JWT (APIs / Mobile)

- Self‑contained claims signed with strong alg (RS256/EdDSA).
- Short access token TTL (5–15 min) + refresh token (days) bound to device.
- Validate: signature, issuer, audience, expiry, not‑before.
- Rotate signing keys; publish JWKs; support kid for key lookup.
- Revoke on risk events via allow/deny lists or rotating `jti` with server list.

// Go: verify RS256 JWT (using github.com/golang-jwt/jwt/v5)
func Verify(tokenStr string, jwkSet *jose.JSONWebKeySet) (*jwt.Token, error) {
  keyfunc := func(t *jwt.Token) (any, error) {
    kid, _ := t.Header["kid"].(string)
    for _, k := range jwkSet.Keys {
      if k.KeyID == kid { return k.Key, nil }
    }
    return nil, errors.New("unknown kid")
  }
  return jwt.Parse(tokenStr, keyfunc, jwt.WithAudience("api"), jwt.WithIssuer("https://auth.example.com"))
}

OAuth2/OIDC (Login with Google/Apple/etc.)

- Use Authorization Code + PKCE for public clients.
- Store minimal profile; map provider subject → internal user ID.
- Keep redirect URIs strict; validate state to prevent CSRF.
- Refresh/rotate tokens on schedule; handle provider outages gracefully.

2FA & Trusted Devices

- Deliver OTP via app/email; rate‑limit attempts.
- “Remember device” = signed, HttpOnly cookie + device record server‑side.
- Expire trust on password change, device removal, or risk signals.
- Backup codes printed once; store hashed.

RBAC and Secure API Design

- Enforce authorization at the edge and in each service.
- Prefer role + fine‑grained permissions/attributes (ABAC) for sensitive ops.
- Deny by default; minimal scopes; never trust client‑supplied roles.

Security Headers & HTTPS

Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
Referrer-Policy: no-referrer
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

Secrets Management

- Store secrets in vault/KMS; mount via short‑lived tokens.
- Rotate keys regularly; audit usage; avoid secrets in images or logs.
- Pin dependencies; verify signatures; lock down CI/CD secrets.

Auditability

- Log auth flows with request_id and user_id (no passwords/tokens).
- Record 2FA events, scope grants, and admin changes.
- Retain logs per policy; encrypt at rest and in transit.

Pitfalls

- Long‑lived JWTs with broad scopes.
- Missing CSRF protections on cookie‑based APIs.
- Overloading refresh tokens (use rotation and reuse‑detection).
- Not checking `aud`/`iss` → token confusion.

Taylor Swift

“I keep my side of the street clean.”

Comments

Post a Comment

Popular posts from this blog

Learning to Automate My Side Projects with SWE-agent + GitLab

Image
I wanted to share something I built. I managed to connect SWE-agent with my self-hosted GitLab so that Issues can drive automation—and I think it’s kind of cool. (Currently, it isn’t directly supported in SWE-Agent, but there is an issue ( https://github.com/SWE-agent/SWE-agent/issues/760 ) on GitHub to add support. Why wait? ^_^) I’ve been tinkering with SWE-agent in the homelab while between roles. SWE-agent doesn’t natively support GitLab, but that wasn’t going to stop me—I wired it into my self-hosted GitLab instance so Issues drive the automation end-to-end. The Flow I Built 1. Start with an Issue. When I create an Issue, I describe the task in plain language. For example: “create `/taylor-swift` route that responds with JSON key lucky=13.” 2. Label the intent. Add the label `run:swe` and tag the model (in my case: `model:qwen3-coder-30b-a3b-instruct` from LM Studio). There is also a label swe:in-progress so that the pipeline does not pick up in-progress issues. If the pipeline ne...
Read more

Ship-Ready Web Essentials: Search, Sitemap, Metadata & Icons (SvelteKit)

This guide is a pragmatic, production-minded checklist and how-to for hardening a SvelteKit landing site so it’s discoverable by search engines, understandable by AI crawlers, and delightful on modern devices. It includes file locations, example contents, and verification steps. Everything here works even if you only have a single landing page today. Branding note: this document uses a fictional brand (“Example Store”) and domain (example.com). Replace these with your own values when you implement. Quick To-Do Checklist • Serve a real XML sitemap at /sitemap.xml and reference it in robots.txt. • Add a lightweight, server-rendered /search?q=… endpoint (backs JSON-LD SearchAction). • Place ai.txt (allow/deny AI crawlers) and .well-known/security.txt (vuln-reporting). • Wire canonical Open Graph/Twitter tags and og.png for social previews. • Add platform icons (apple-touch-icon.png, safari-pinned-tab.svg) and site.webmanifest. • Harden app.html with meta theme-color (light/dark), color-sc...
Read more

Kubernetes Secrets Management — SOPS + age (GitOps‑friendly)

Image
  Owner: Platform Engineering Audience: Devs & Ops Status: Adopted This document captures the exact process we use to manage Kubernetes secrets with Mozilla SOPS and the age encryption tool. It includes why we chose this approach, how to work with secrets day‑to‑day, and trade‑offs versus other methods. Executive Summary We store Kubernetes Secret manifests in Git encrypted at rest using SOPS with an age public key.  SOPS encrypts your secret values with AES‑256‑GCM , which is industry gold standard. In SOPS you can not swap AES‑256‑GCM out. The age private key lives only in protected CI variables. CI decrypts the manifests at deploy time and applies them with kubectl. No in‑cluster controllers, CRDs, or webhooks are required. Why this approach Top benefits: • Zero in‑cluster installs (no CRDs/controllers to run or break). • GitOps‑native: encrypted YAML sits in the repo; diffs remain readable (metadata & keys stay visible). • Cloud‑agnostic: age works anywhere; no ...
Read more